Important update: iTunes backups are secure again in iOS 10.1

Posted by Catalina Butnaru,
12th October 2016

iOS 10 has reached 65% adoption rate amongst all Apple users according to a near real-time user adoption report from Mixpanel. Adoption rate for iOS 10 started slower after launch, and picked up speed over the past 2 weeks. Official stats on Apple’s developer page show that only 54% of devices are currently running iOS 10. That’s roughly half a billion active devices. Theoretically, the security flaw introduced for encrypted iOS 10 iTunes backups might have affected a significant proportion of users who use this encryption feature.

The backup encryption feature is turned on manually by users who want to encrypt data including Wi-Fi settings, browser history, health data and passwords. The only thing standing between that private information and an attacker is the backup password, which is why the security flaw affecting iTunes backup passwords caused such a stir in September. The wait for a fix is over!

We’ve just discovered that Apple introduced a fix in iOS 10.1 beta 2 and 3 that addresses this issue by reverting the encryption method to the one used in iOS 9.

The security flaw in early iOS 10 is now fixed

In iOS 10, Apple made a number of changes to encrypted (password-protected) iTunes backups. These included encrypting key pieces of information about the backup, known as metadata, such as the date on which files were last modified, their size, and additional information needed to decrypt them.

Early iOS 10 backups included a password hash used to verify whether the user had entered the correct password to decrypt the backup. This made it much easier for hackers to brute-force the passwords of encrypted backups: to break the encryption, an attacker simply needed to try thousands of passwords in quick succession until one matched the stored hash.

In the latest beta of iOS 10.1, Apple has fixed this security flaw by removing the new password hash from encrypted iOS 10.1 backups.

Arguably, alternative methods exist for verifying a password without introducing this weakness. Even so, the easiest and fastest solution was to roll the security mechanism back to how it was before the flaw was introduced.

In any case, one thing is important to remember: encryption strength always depends on the strength of your password. Use random characters, including non-alphanumeric ones, to increase your password’s strength. Cracking a password from a stored hash is made much harder if the password itself is strong.
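To make the two points above concrete (why a stored password hash that is cheap to test hands an attacker a brute-force oracle, and why password strength multiplies the defender's margin), here is an added Python example. It is not the page's or Reincubate's code and it is not Apple's backup format: the page does not state which algorithms iOS used, so the single-round SHA-256 verifier standing in for the weak design, the PBKDF2-HMAC-SHA256 iteration count for the hardened design, the verifier label and the sample passwords are all assumptions. The block puts the weak verifier beside the hardened one and then applies the measured per-guess cost to an exhaustive-search estimate for two password policies.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed illustration, not Apple's backup format: the page does not say
# which algorithms iOS used, so the fast verifier (one SHA-256 call) and the
# slow verifier (PBKDF2-HMAC-SHA256, SLOW_ITERATIONS rounds) are assumptions.
SLOW_ITERATIONS = 200_000
VERIFIER_LABEL = b"backup-password-verifier"   # assumed domain-separation label


def make_fast_verifier(password: str) -> bytes:
    """Weak design: an unsalted, single-round hash of the password.

    Each candidate password costs exactly one hash call to test, so the
    stored verifier itself becomes a fast oracle for guessing."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def check_fast(password: str, verifier: bytes) -> bool:
    return hmac.compare_digest(make_fast_verifier(password), verifier)


def make_slow_verifier(password: str, salt: Optional[bytes] = None,
                       iterations: int = SLOW_ITERATIONS) -> Tuple[bytes, int, bytes]:
    """Hardened design: derive a key with a salted, iterated KDF and store a
    verifier derived from that key, never the key or a plain hash."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return salt, iterations, verifier


def check_slow(password: str, salt: bytes, iterations: int, verifier: bytes) -> bool:
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    candidate = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(candidate, verifier)


def seconds_per_guess(check, *stored, samples: int = 5) -> float:
    """Measure the cost of one wrong-password check against the stored values."""
    start = time.perf_counter()
    for i in range(samples):
        check(f"wrong-guess-{i}", *stored)
    return (time.perf_counter() - start) / samples


def exhaustive_search_seconds(charset_size: int, length: int, secs_per_guess: float) -> float:
    """Worst-case time to test every password of the given length and alphabet."""
    return (charset_size ** length) * secs_per_guess


if __name__ == "__main__":
    password = "correct horse"             # constructed sample password
    fast = make_fast_verifier(password)
    slow = make_slow_verifier(password)

    fast_cost = seconds_per_guess(check_fast, fast)
    slow_cost = seconds_per_guess(check_slow, *slow)
    print(f"fast verifier: {fast_cost:.2e} s/guess")
    print(f"slow verifier: {slow_cost:.2e} s/guess ({slow_cost / fast_cost:.0f}x more work per guess)")

    # Password strength multiplies the same way: 8 lowercase letters versus
    # 12 characters drawn from a 94-symbol printable-ASCII alphabet.
    for charset, length in ((26, 8), (94, 12)):
        print(f"charset {charset}, length {length}: "
              f"fast {exhaustive_search_seconds(charset, length, fast_cost):.2e} s, "
              f"slow {exhaustive_search_seconds(charset, length, slow_cost):.2e} s")
```

Run it as a script to see the two costs side by side on your own machine; the absolute timings vary, but the ratio between the two verifiers and the exponential growth with alphabet size and length are the points that matter. The hardened verifier stores a salt alongside the check value so that a single precomputed table cannot be reused across backups, and it derives the check value from the KDF output via HMAC rather than storing the derived key itself.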

iPhone Backup Extractor works with the newest iTunes encrypted backups

Our iOS team investigated this change in encrypted iTunes backups, and updated iPhone Backup Extractor to be compatible with the most recent iOS version.

If you’re already using iPhone Backup Extractor, and are updating to iOS 10.1, please download the latest iPhone Backup Extractor to continue recovering deleted or missing files from iTunes backups made with the most recent iOS version. iPhone Backup Extractor continues to be compatible with older iOS versions as well.

As a company, data privacy and security are in our DNA. The iPhone Backup Extractor is built to ensure compatibility with all extra security measures made available to Apple users, ensuring that our product is used lawfully by legitimate iTunes and iCloud users who pass all authentication stages associated with accessing a backup either locally or in the cloud.